Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: Argo CD: pull OIDC clientID and issuer from existing secret #2199

Open
jessebot opened this issue Aug 2, 2023 · 4 comments
Open

feature: Argo CD: pull OIDC clientID and issuer from existing secret #2199

jessebot opened this issue Aug 2, 2023 · 4 comments
Labels
argo-cd awaiting-upstream Is waiting for a change upstream to be completed before it can be merged. enhancement on-hold

Comments

@jessebot
Copy link
Contributor

jessebot commented Aug 2, 2023

Is your feature request related to a problem?

Right now we have to specify the oidc issuer and clientID directly in plain text via the values.yaml when applying the argo-cd helm chart. It's possible to specify a clientSecret in another secret, but not the clientID or issuer. This information is still considered private, so it'd be good to have this obscured.

Related helm chart

argo-cd

Describe the solution you'd like

I'd like to see the issuer and clientID also optionally called from an existing secret, in the same way that we can specify a clientSecret in another secret, example currently:

    oidc.config: |
      name: provider
      issuer: https://my.domain/realms/coolrealm
      clientID: argocd
      clientSecret: $argocd-provider:oidc.provider.clientSecret
      requestedScopes: ["openid", "profile", "email", "groups"]
      requestedIDTokenClaims: {"groups": {"essential": true}}

Proposed update:

    oidc.config: |
      name: provider
      issuer: $argocd-provider:oidc.provider.issuer
      clientID: $argocd-provider:oidc.provider.clientID
      clientSecret: $argocd-provider:oidc.provider.clientSecret
      requestedScopes: ["openid", "profile", "email", "groups"]
      requestedIDTokenClaims: {"groups": {"essential": true}}

Describe alternatives you've considered

An alternative would be to just allow for an existingSecret for OIDC credentials where issuer, clientID, and clientSecret are all defined keys.

Additional context

This would make everything a bit more secure and allow for more open sourcing of Argo CD configurations without exposing any useful information for attackers.
@mkilchhofer
Copy link
Member

Did you test your proposed solution already? If its not yet implemented inside the code, you have to file a feature request in the upstream project repo over there:
https://github.com/argoproj/argo-cd

@jessebot
Copy link
Contributor Author

jessebot commented Aug 4, 2023
edited

@michaelvl I did not! Sorry about that. Should I close this one or wait till the other one is responded to in the other repo? :)

@jessebot jessebot mentioned this issue Aug 4, 2023
Open
@mkilchhofer mkilchhofer added the awaiting-upstream Is waiting for a change upstream to be completed before it can be merged. label Aug 8, 2023
@mkilchhofer
Copy link
Member

Should I close this one (..)?

We can leave it open, it doesn't matter 👍

@github-actions
Copy link

github-actions bot commented Oct 8, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 15, 2023
@mkilchhofer mkilchhofer reopened this Oct 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
argo-cd awaiting-upstream Is waiting for a change upstream to be completed before it can be merged. enhancement on-hold
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jessebot @mkilchhofer @yu-croco